We introduce a basic model for contracts. Our model extends event structures with a new relation, which faithfully captures the circular dependencies among contract clauses. We establish whether an agreement exists which respects all the contracts at hand (i.e. all the dependencies can be resolved), and we detect the obligations of each participant. The main technical contribution is a correspondence between our model and a fragment of the contract logic PCL [6]. More precisely, we show that the reachable events are exactly those which correspond to provable atoms in the logic. Despite this strong correspondence, our model improves on [6] by exhibiting a finer-grained notion of culpability, which takes into account the legitimate orderings of events.

1 Introduction 

Contracts will play an increasingly important role in the specification and implementation of distributed systems. Since participants in distributed systems may be mutually distrusting, and may have conflicting individual goals, the possibility that a participant's behaviour may diverge from the expected one is quite realistic. To protect themselves against possible misconducts, participants should postpone actual collaboration until reaching an agreement on the mutually offered behaviour. This requires a preliminary step, where each participant declares her promised behaviour, i.e. her contract.

A contract is a sort of assume/guarantee rule, which makes explicit the dependency between the actions performed by a participant, and those promised in return by the others. Event structures [17] can provide a basic semantic model for assume/guarantee rules, by interpreting the enabling $b \vdash a$ as the contract clause: "I will do $a$ after you have done $b$". However, event structures do not capture a typical aspect of contracts, i.e. the capability of reaching an agreement when the assumptions and the guarantees of the parties mutually match. For instance, in the event structure with enablings $b \vdash a$ and $a \vdash b$, none of the events $a$ and $b$ is reachable, because of the circularity of the constraints. An agreement would still be possible if one of the parties is willing to accept a weaker contract. Of course, the contract "I will do $b$" (modelled as $\vdash b$) will lead to an agreement with the contract $b \vdash a$, but it offers no protection to the participant who offers it: indeed, such a contract can be stipulated without having anything in return.

In this paper we introduce a model for contracts, by extending (conflict-free) event structures with a new relation $\Vdash$. The contract $b \Vdash a$ (intuitively, "I will do $a$ if you promise to do $b$") reaches an agreement with the dual contract $a \Vdash b$, while protecting the participant who offers it. We formalise agreements as configurations where all the participants have reached their goals. We show that the problem of deciding if an agreement exists can be reduced to the problem of proving a suitable formula in (a fragment of) the contract logic PCL [6], where an effective decision procedure for provability exists.

Once an agreement has been found, the involved participants may safely cooperate by performing events. Indeed, we prove that — even in the presence of dishonest participants which do not respect their promises — either all the participants reach their goals, or some of them are culpable of not having performed their duties. A culpable participant may then be identified (and possibly punished). Also the problem of detecting duties and identifying culpable participants is related to provability in PCL. Notably, while PCL does not distinguish between the immediate duties and those that will only be required later on in a computation (all provable atoms are considered duties in PCL), the richer semantical structure of our model allows for a finer-grained notion of duties, which depend on the actual events already performed in a contract execution.

2 Contract model 

A contract (Def. 1) comprises a set of events $E$ and a set of participants $\mathcal{A}$. Each event $e \in E$ is uniquely associated to a participant $\pi(e) \in \mathcal{A}$. Events are ranged over by $a, b, \ldots$, sets of events by $C, D, X, Y, \ldots$, and participants by $A, B, \ldots$. Events are constrained by two relations: one is the enabling relation $\vdash$ of [17], while the other is called circular enabling relation, and it is denoted by $\Vdash$. Intuitively, $D \vdash e$ states that $e$ may be performed after all the events in $D$ have happened; instead, $D \Vdash e$ means that $e$ may be performed either if $D$ has already happened (similarly to $\vdash$), or possibly "on credit", on the promise that the events in $D$ will be performed at some later time. The goals of each participant are indicated by the relation $\mathit{ok}$: $A\ \mathit{ok}\ X$ means that $A$ is satisfied if all the events in $X$ have happened. The composition of contracts is defined component-wise, provided that events are uniquely associated to participants.

Definition 1. A contract $\mathcal{C}$ is a 6-tuple $(E, \mathcal{A}, \pi, \mathit{ok}, \vdash, \Vdash)$, where:

• $E$ is a finite set of events;

• $\mathcal{A}$ is a finite set of participants;

• $\pi : E \to \mathcal{A}$ associates each event to a participant;

• $\mathit{ok} \subseteq \mathcal{A} \times \wp(E)$ is the fulfillment relation, such that $A\ \mathit{ok}\ X \;\wedge\; X \subseteq Y \implies A\ \mathit{ok}\ Y$;

• $\vdash \;\subseteq\; \wp(E) \times E$ is the enabling relation;

• $\Vdash \;\subseteq\; \wp(E) \times E$ is the circular enabling relation.

We assume that both the enabling relations are saturated, i.e. $X \circ e \;\wedge\; X \subseteq Y \implies Y \circ e$, for $\circ \in \{\vdash, \Vdash\}$.

The saturation of the relation ok models the fact that once a contract has been fulfilled (i.e. a state is 
reached where all participants say ok), additional events can be neglected. 

For notational convenience, we shall sometimes omit curly brackets around singletons, e.g. we shall write $a \vdash b$ instead of $\{a\} \vdash b$, and we shall simply write $\vdash e$ for $\emptyset \vdash e$. Similar abbreviations apply to $\Vdash$.

Example 2. Suppose there are three kids who want to play together. Alice has a toy airplane, Bob has a bike, while Carl has a toy car. Each of the kids is willing to share their toy, but they have different constraints: Alice will lend her airplane only after Bob has allowed her to ride his bike; Bob will lend his bike only after he has played with Carl's car; Carl will lend his toy car if the other two kids promise that they will eventually let him play with their toys. These constraints are modelled by the following contract $\mathcal{C}$, where we only indicate the minimal elements of the relations $\vdash$, $\Vdash$ and $\mathit{ok}$:

$$E = \{a, b, c\} \qquad \{b\} \vdash a \qquad \{c\} \vdash b \qquad \{a, b\} \Vdash c$$
$$\mathcal{A} = \{A, B, C\} \qquad A\ \mathit{ok}\ \{b\} \qquad B\ \mathit{ok}\ \{c\} \qquad C\ \mathit{ok}\ \{a, b\}$$
$$\pi(a) = A \qquad \pi(b) = B \qquad \pi(c) = C$$



M. Bartoletti, T. Cimoli, G.M. Pinna, R. Zunino 


In the previous example, it is crucial that Carl's contract allows the event $c$ to happen "on credit" before the other events are performed. We shall show that this leads to an agreement among the participants, while no agreement would exist were Carl requiring $\{a, b\} \vdash c$ (cf. Ex. 5).

In Def. 3 we refine the notion of configuration of [17], so as to deal with the new $\Vdash$-enablings. A set of events $C$ is a configuration if its events can be ordered in such a way that each event $e \in C$ is either $\vdash$-enabled by its predecessors, or it is $\Vdash$-enabled by the whole $C$. Configurations play a crucial role, as they represent sets of events where all the debts have been honoured.

Definition 3. For all contracts $\mathcal{C}$, we say that $C \subseteq E$ is a configuration of $\mathcal{C}$ iff

$$\exists e_0, \ldots, e_n.\ \big(\{e_0, \ldots, e_n\} = C \;\wedge\; \forall i \le n.\ (\{e_0, \ldots, e_{i-1}\} \vdash e_i \;\vee\; C \Vdash e_i)\big)$$

The set of all configurations of $\mathcal{C}$ is denoted by $\mathcal{F}_{\mathcal{C}}$.

Example 4. Not all sets of events are also configurations. For instance, in the contract with enablings $a \Vdash b$ and $b \Vdash a$, the sets $\emptyset$ and $\{a, b\}$ are configurations (in the latter, the use of $\Vdash$ allows for resolving the circular dependency between $a$ and $b$), while $\{a\}$ and $\{b\}$ are not.

Example 5. The contract $\mathcal{C}$ of Ex. 2 has configurations $\emptyset$ and $E = \{a, b, c\}$. Note that if Carl replaces his contract with $\{a, b\} \vdash c$, then $E$ no longer belongs to $\mathcal{F}_{\mathcal{C}}$.

Following the examples above we observe that, differently from other event-based models, if $C$ is a configuration, a subset $X \subseteq C$ is not necessarily a configuration as well. Hereafter, subsets of $E$ are called states, regardless of whether they are configurations or not.

Since our contracts have no conflicts (unlike [17]), the union of two configurations is a configuration as well.

Lemma 6. For all contracts $\mathcal{C}$, if $C \in \mathcal{F}_{\mathcal{C}}$ and $D \in \mathcal{F}_{\mathcal{C}}$, then $C \cup D \in \mathcal{F}_{\mathcal{C}}$.

Given a configuration $C$ and an event $e$, the set $C \cup \{e\}$ is still a configuration if $C \vdash e$ or $C \Vdash e$. Otherwise, $C \cup \{e\}$ is not a configuration. Compositional reasoning on sets of events (not necessarily configurations) requires to keep track of the events taken "on credit", as sketched in the proof of Th. 15.

An event is reachable when it belongs to a configuration; a set of events $X$ is reachable if every event in $X$ is reachable. A reachable set is not necessarily a configuration (e.g. $\{a, b\}$ in Ex. 2); yet, there always exists a configuration that contains it. This follows by Lemma 6, which guarantees that configurations are closed by union. The set comprising all the reachable events is a configuration (actually, it is the greatest one).

Lemma 7. Let $X \subseteq E$ be a reachable set of events. Then, $\exists C \in \mathcal{F}_{\mathcal{C}}.\ X \subseteq C$.

Lemma 8. $\bar{C} = \{e \in E \mid e \text{ is reachable}\} \in \mathcal{F}_{\mathcal{C}}$, and $\forall C \in \mathcal{F}_{\mathcal{C}}.\ C \subseteq \bar{C}$.

2.1 Agreements 

Informally, a contract admits an agreement when all the involved participants are happy with the guarantees provided by that contract. In Def. 9 we formalise an agreement on a contract $\mathcal{C}$ as a configuration of $\mathcal{C}$ where all the participants have reached their individual goals. E.g., the configuration $E = \{a, b, c\}$ is an agreement on the contract $\mathcal{C}$ of Ex. 2, since $P\ \mathit{ok}\ E$ holds for $P \in \{A, B, C\}$ by saturation of $\mathit{ok}$.

Definition 9. An agreement on $\mathcal{C}$ is a configuration $C \in \mathcal{F}_{\mathcal{C}}$ such that $\forall A \in \mathcal{A} : A\ \mathit{ok}\ C$.
We now establish the duties of a participant in a state where some events $X$ have been performed. Although several different definitions of duties are possible, the common factor of any reasonable definition is that, in the absence of duties, all the participants must have reached their goals (see Th. 13). Here we focus on a definition of duties where $\vdash$ is prioritized over $\Vdash$, i.e. an event may be performed on credit only if no other ways are possible. More precisely, an event $e$ belongs to $\mathit{duties}(A, X)$ if (i) $e$ is not already present in $X$, but is in some configuration $C$, (ii) $\pi(e) = A$, and (iii) either $e$ is $\vdash$-enabled by $X$, or, if no $\vdash$-enablings are possible from $X$, then $e$ is $\Vdash$-enabled by some events in $C \cup X$.

Definition 10. For all $A$, for all $X$, we define $\mathit{duties}(A, X)$ as the set of events $e \notin X$ such that $\pi(e) = A$ and there exists $C \in \mathcal{F}_{\mathcal{C}}$ such that $e \in C$, and either $X \vdash e$ or $(\nexists e' \in C \setminus X : X \vdash e') \;\wedge\; (\exists D \subseteq C \cup X : D \Vdash e)$. A participant $A$ is culpable in $X$ when $A$ has some duties in $X$.

Example 11. Recall the contract $\mathcal{C}$ of Ex. 2. By Def. 10, in state $\emptyset$ only participant $C$ is culpable, with $\mathit{duties}(C, \emptyset) = \{c\}$; in $\{c\}$ only $B$ is culpable, with $\mathit{duties}(B, \{c\}) = \{b\}$; finally, in $\{b, c\}$ only $A$ is culpable, with $\mathit{duties}(A, \{b, c\}) = \{a\}$.

Example 12. Let $\mathcal{C}$ be a contract with $\{a_0, a_1\} \Vdash a_2$, $\{a_0, a_2\} \Vdash a_1$, $\{a_1, a_2\} \vdash a_3$, and $\vdash a_0$, where $\pi(a_i) = A_i$ for $i \in [0, 3]$. We have that only $A_0$ is culpable in $\emptyset$; only $A_1$ and $A_2$ are culpable in $\{a_0\}$; only $A_1$ is culpable in $\{a_0, a_2\}$; only $A_2$ is culpable in $\{a_0, a_1\}$; only $A_3$ is culpable in $\{a_0, a_1, a_2\}$; finally, no one is culpable in $C = \{a_0, a_1, a_2, a_3\} \in \mathcal{F}_{\mathcal{C}}$.

The following theorem establishes that it is safe to execute contracts after they have been agreed upon. More precisely, in each state $X$ of the contract execution, either all the participant goals have been fulfilled, or some participant is culpable in $X$. Note that, in consequence of Def. 10, a participant can always exculpate herself by performing some of her duties. This is because, if $D = \mathit{duties}(A, X)$ is not empty, participant $A$ is always allowed to perform all the events in $D$, eventually reaching a state where she is not culpable (note also that in the maximal state $E$ no one is culpable).

Theorem 13. If an agreement on $\mathcal{C}$ exists, then for all participants $A \in \mathcal{A}$, and for all $X \subseteq E$, either $A\ \mathit{ok}\ X$, or some participant is culpable in $X$.



2.2 A logical characterisation of agreements 

The problem of deciding if an agreement exists on some contract $\mathcal{C}$ is reduced below to the problem of proving formulae in the contract logic PCL [6]. A comprehensive presentation of PCL is beyond the scope of this paper, so we give here a brief overview, and we refer the reader to [6, 5] for more details.

PCL extends intuitionistic propositional logic IPC with a new connective, called contractual implication and denoted by $\twoheadrightarrow$. Differently from IPC, a contract $b \twoheadrightarrow a$ implies $a$ not only when $b$ is true, like IPC implication, but also in the case that a "compatible" contract, e.g. $a \twoheadrightarrow b$, holds. Also, PCL is equipped with an indexed lax modality $\mathit{says}$, similarly to the one in [13].

The Hilbert-style axiomatisation of PCL extends that of IPC with the following axioms:

$$\top \twoheadrightarrow \top \qquad\qquad \varphi \to (A\ \mathit{says}\ \varphi)$$
$$(\varphi \twoheadrightarrow \psi) \to (\psi \to \varphi) \to \varphi \qquad\qquad (A\ \mathit{says}\ A\ \mathit{says}\ \varphi) \to A\ \mathit{says}\ \varphi$$
$$(\varphi' \to \varphi) \to (\varphi \twoheadrightarrow \psi) \to (\psi \to \psi') \to (\varphi' \twoheadrightarrow \psi') \qquad\qquad (A\ \mathit{says}\ (\varphi \to \psi)) \to (A\ \mathit{says}\ \varphi) \to (A\ \mathit{says}\ \psi)$$

The Gentzen-style proof system of PCL extends that of IPC with the following rules (we refer to [6] for the standard IPC rules, and for the rules for the $\mathit{says}$ modality).

$$\frac{\Gamma \vdash q}{\Gamma \vdash p \twoheadrightarrow q} \qquad \frac{\Gamma, p \twoheadrightarrow q, a \vdash p \qquad \Gamma, p \twoheadrightarrow q, q \vdash b}{\Gamma, p \twoheadrightarrow q \vdash a \twoheadrightarrow b} \qquad \frac{\Gamma, p \twoheadrightarrow q, r \vdash p \qquad \Gamma, p \twoheadrightarrow q, q \vdash r}{\Gamma, p \twoheadrightarrow q \vdash r}$$
Notice the resemblance between the last rule and the rule ($\to$L) of IPC: the only difference is that here we allow the conclusion $r$ to be used as hypothesis in the leftmost premise. This feature allows $\twoheadrightarrow$ to resolve circular assume/guarantee rules, e.g. to deduce $a$ and $b$ from the formula $a \twoheadrightarrow b \;\wedge\; b \twoheadrightarrow a$.

The proof system of PCL enjoys cut elimination and the subformula property. The decidability of the entailment relation $\vdash_{\mathrm{PCL}}$ is a direct consequence of these facts (see [6] for details).



In Def. 14 we show a translation from contracts to PCL formulae. In particular, our mapping is a bijection into the fragment of PCL (called IN-PCL) which comprises atoms, conjunctions, $\mathit{says}$, and non-nested (standard/contractual) implications.

Definition 14. The mapping $[\![\cdot]\!]$ from contracts into IN-PCL formulae is defined as follows:

$$[\![ (D_i \circ_i a_i)_i ]\!] = \bigwedge_i [\![ D_i \circ_i a_i ]\!]$$
$$[\![ \{d_j \mid j \in J\} \circ a ]\!] = \pi(a)\ \mathit{says}\ \Big( \big( \textstyle\bigwedge_{j \in J} \pi(d_j)\ \mathit{says}\ d_j \big)\ [\![\circ]\!]\ \pi(a)\ \mathit{says}\ a \Big)$$

where $[\![\circ]\!] = {\to}$ if $\circ = {\vdash}$, and $[\![\circ]\!] = {\twoheadrightarrow}$ if $\circ = {\Vdash}$.

Theorem 15. For all contracts $\mathcal{C}$, an event $e$ is reachable in $\mathcal{C}$ iff $[\![\mathcal{C}]\!] \vdash_{\mathrm{PCL}} \pi(e)\ \mathit{says}\ e$.

Proof. (Sketch) We extend the definition of configuration, by allowing events to be picked from a set $X$, in the absence of their premises. We say that $C \subseteq E$ is an $X$-configuration of $\mathcal{C}$ iff $X \subseteq C$ and

$$\exists e_0, \ldots, e_n \in C.\ \{e_0, \ldots, e_n\} = C \;\wedge\; \forall i \le n.\ \big(e_i \in X \;\vee\; \{e_0, \ldots, e_{i-1}\} \vdash e_i \;\vee\; C \Vdash e_i\big)$$

This allows, given an $X$-configuration, to add/remove any event and obtain a $Y$-configuration, possibly with $Y \neq X$. We shall say that the events in $X$ have been taken "on credit", to remark the fact that they may have been performed in the absence of a causal justification. Notice that Def. 3 is the special case of the above when $X = \emptyset$. An event $e$ is $X$-reachable if it belongs to some $X$-configuration. For all $X$, we define the set $\mathcal{R}(X)$ by the following inference rules:

$$\frac{D \vdash e \qquad D \subseteq \mathcal{R}(X)}{e \in \mathcal{R}(X)} \qquad \frac{D \Vdash e \qquad D \subseteq \mathcal{R}(X \cup \{e\})}{e \in \mathcal{R}(X)} \qquad \frac{e \in X}{e \in \mathcal{R}(X)}$$

The set $\mathcal{R}(X)$ is used as a bridge in proving that $e$ is $X$-reachable iff $[\![\mathcal{C}]\!], X \vdash_{\mathrm{PCL}} e$. We prove first that $\mathcal{R}(X)$ contains exactly the $X$-reachable events, and then we prove that $[\![\mathcal{C}]\!], X \vdash_{\mathrm{PCL}} e$ iff $e \in \mathcal{R}(X)$. The actual inductive statement is a bit stronger. For all conjunctions of atoms $\varphi$ and for all sets of conjunctions of atoms $\Phi$, we denote with $\bar\varphi$ and $\bar\Phi$ the sets of atoms occurring in $\varphi$ and in $\Phi$, respectively. Then, we prove that for all $\varphi$ and for all $\Phi$: $\bar\varphi \subseteq \mathcal{R}(\bar\Phi) \iff [\![\mathcal{C}]\!], \Phi \vdash_{\mathrm{PCL}} \varphi$. The ($\Leftarrow$) direction is proved by induction on the depth of the derivation of $[\![\mathcal{C}]\!], \Phi \vdash_{\mathrm{PCL}} \varphi$. For the ($\Rightarrow$) direction, we let $e \in \bar\varphi$, and then we proceed by induction on the depth of the derivation of $e \in \mathcal{R}(\bar\Phi)$. □

The following theorem reduces the problem of deciding agreements to provability of PCL formulae. Concretely, one can use the decision procedure of IN-PCL to compute the set $\bar{C}$ of reachable events. Then, an agreement exists iff each principal $A$ has some goals contained in $\bar{C}$.

Theorem 16. A contract $\mathcal{C}$ admits an agreement iff:

$$\forall A \in \mathcal{A}.\ \exists G \subseteq E.\ \big(A\ \mathit{ok}\ G \;\wedge\; \forall e \in G : [\![\mathcal{C}]\!] \vdash_{\mathrm{PCL}} \pi(e)\ \mathit{says}\ e\big)$$

Proof. ($\Rightarrow$) Let $C$ be an agreement on $\mathcal{C}$, and let $\mathcal{A} = \{A_i\}_i$. By Def. 9, $A_i\ \mathit{ok}\ C$ for all $i$. By definition of $\mathit{ok}$, there exist $G_i \subseteq C$ such that $A_i\ \mathit{ok}\ G_i$. Since $G_i \subseteq C \in \mathcal{F}_{\mathcal{C}}$, then $G_i$ is reachable. Therefore, by Theorem 15, $[\![\mathcal{C}]\!] \vdash_{\mathrm{PCL}} \pi(e)\ \mathit{says}\ e$, for all $e \in G_i$.

($\Leftarrow$) Let $\mathcal{A} = \{A_i\}_i$, and let $\{G_i\}_i$ be such that $A_i\ \mathit{ok}\ G_i$ and $[\![\mathcal{C}]\!] \vdash_{\mathrm{PCL}} \pi(e)\ \mathit{says}\ e$ for all $i$ and for all $e \in G_i$. By Theorem 15, each $G_i$ is reachable. By Lemma 7, for all $i$ there exists $C_i \in \mathcal{F}_{\mathcal{C}}$ such that $C_i \supseteq G_i$. By Lemma 6, $C = \bigcup_i C_i \in \mathcal{F}_{\mathcal{C}}$ is an agreement on $\mathcal{C}$. □
Finally, note that also $\mathit{duties}(A, X)$ can be computed by exploiting the correspondence with PCL. More precisely, we use $\vdash_{\mathrm{PCL}}$ to compute the set of all reachable events, so obtaining the maximal configuration (Lemma 8), and then to compute $D \vdash e$ as prescribed by Def. 10.
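The model of Section 2 as executable code, added here as an illustration and not the authors' implementation: configurations are enumerated by brute force per Def. 3, the greatest configuration per Lemma 8, agreements per Th. 16 (with reachability computed directly rather than through PCL provability), and duties per Def. 10, so that the culpable participants of Examples 11 and 12 and the safety property of Th. 13 can be checked on the contracts of Examples 2, 5 and 12. The class and method names, and the encoding of relations by their minimal elements, are assumptions of this example.

```python
from itertools import combinations, permutations


class Contract:
    """Contract of Def. 1. Relations are given by their minimal elements;
    saturation (X o e and X <= Y imply Y o e) is applied on lookup."""

    def __init__(self, events, owner, ok, enab, circ):
        self.E, self.pi = frozenset(events), dict(owner)      # pi : E -> A
        self.A = frozenset(self.pi.values())
        self.ok = [(a, frozenset(g)) for a, g in ok]          # A ok G
        self.enab = [(frozenset(d), e) for d, e in enab]      # D |- e
        self.circ = [(frozenset(d), e) for d, e in circ]      # D ||- e

    @staticmethod
    def holds(rel, D, e):             # D |- e or D ||- e, with saturation
        return any(f == e and d <= D for d, f in rel)

    def is_configuration(self, C):
        """Def. 3: some ordering of C has each event |-enabled by its
        predecessors or ||-enabled by the whole C (taken "on credit")."""
        C = frozenset(C)
        return any(all(self.holds(self.enab, frozenset(o[:i]), e)
                       or self.holds(self.circ, C, e) for i, e in enumerate(o))
                   for o in permutations(C))

    def states(self):                 # all subsets of E, i.e. all states
        return [frozenset(s) for k in range(len(self.E) + 1)
                for s in combinations(sorted(self.E), k)]
    def configurations(self):
        return [c for c in self.states() if self.is_configuration(c)]
    def reachable(self):              # Lemma 8: the greatest configuration
        return frozenset().union(*self.configurations())
    def satisfied(self, A, X):        # A ok X
        return any(b == A and g <= X for b, g in self.ok)

    def admits_agreement(self):
        """Th. 16, with reachability computed directly instead of through
        PCL provability: each participant has a goal set inside it."""
        return all(self.satisfied(a, self.reachable()) for a in self.A)

    def duties(self, A, X):
        """Def. 10: events of A, not yet in X, that A must perform now."""
        X, out = frozenset(X), set()
        for C in self.configurations():
            no_enab = not any(self.holds(self.enab, X, f) for f in C - X)
            for e in (f for f in C - X if self.pi[f] == A):
                if self.holds(self.enab, X, e) or (
                        no_enab and self.holds(self.circ, C | X, e)):
                    out.add(e)
        return frozenset(out)

    def culpable(self, X):
        return frozenset(a for a in self.A if self.duties(a, X))

    def safe(self):
        """Th. 13: in every state all goals are met or someone is culpable."""
        return all(all(self.satisfied(a, X) for a in self.A) or self.culpable(X)
                   for X in self.states())


# Example 2: Alice's airplane a, Bob's bike b, Carl's car c (lent on credit).
KIDS = Contract("abc", {"a": "A", "b": "B", "c": "C"},
                ok=[("A", "b"), ("B", "c"), ("C", "ab")],
                enab=[("b", "a"), ("c", "b")], circ=[("ab", "c")])
# Example 5: Carl asks {a,b} |- c instead, so nobody can move first.
STRICT = Contract("abc", KIDS.pi, KIDS.ok, KIDS.enab + [("ab", "c")], [])
# Example 12: a0 unconditional, a1 and a2 enabled on credit by each other.
EX12 = Contract(["a0", "a1", "a2", "a3"], {f"a{i}": f"A{i}" for i in range(4)},
                ok=[], enab=[((), "a0"), (("a1", "a2"), "a3")],
                circ=[(("a0", "a1"), "a2"), (("a0", "a2"), "a1")])
```

Calling `KIDS.culpable(X)` for the three states of Example 11 returns C, B and A in turn, while `STRICT.admits_agreement()` is false because its only configuration is the empty set.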



3 Related work 

Contracts have been investigated using a variety of models, e.g. c-semirings [8, 9, 12], behavioural types [7, 10, 11], logics [1, 16], etc. All these models do not explicitly deal with the circularity issue, which instead is the focus of this paper.

Circularity is dealt with at a logical (proof-theoretic) level in [6]: the relation between reachability in our model and provability in the logic of [6] is stated by Theorem 15. Compared to [6], our model features a finer notion of duties: while [6] focusses on reachable events, Def. 10 singles out which events must be performed in a given state, by interpreting $D \vdash e$ as "I will do $e$ after $D$ has been done".

In [15] a trace-based model for contracts is defined. Similarly to ours, a way is devised for blaming misconducts, also taking into account time constraints. However, [15] is not concerned with how to reach agreements, so the modelling of mutual obligations (circularity) is neglected. It seems interesting to extend our model with temporal deadlines, which would allow for a tighter notion of agreement, and, more in general, with soft constraints, which could be used to model QoS requirements.

In [14] a generalization of prime event structures is proposed where a response relation (denoted with $\bullet\!\to$) is used to characterize the accepting traces as those where, for each $a \mathrel{\bullet\!\to} b$, if $a$ is present in the trace, then $b$ eventually occurs after $a$. The response relation bears some resemblance with our $\Vdash$ relation, but there are some notable differences. First, having $a \Vdash b$ does not necessarily imply that a configuration containing $a$ must contain also $b$ (another enabling could have been used), whereas $a \mathrel{\bullet\!\to} b$ stipulates that once one has $a$ in an accepting configuration, then also $b$ must be present. Indeed, an enabling $a \Vdash b$ can be neglected, whereas $a \mathrel{\bullet\!\to} b$ must be used. Also, augmenting the number of $\Vdash$-enablings increases the number of configurations, while adding more response relations reduces the number of accepting configurations of the event structure. Finally, [14] deals with conflicts, while we have left this issue for future investigation.



4 Conclusions 

We have proposed a basic model for contracts, building upon a new kind of event structures which allows one to cope with circular assume/guarantee constraints. Our event structures feature two enabling relations (the standard enabling $\vdash$ of [17], and the circular enabling $\Vdash$), but they lack a construct to model non-determinism, and they only consider finite sets of events. Some preliminary work on a generalisation of our event structures with conflicts and infinite sets of events is reported in [2]. Further extensions to the basic model proposed here seem plausible: for instance, more general notions of goals, agreements and duties. Also, a formalisation of the intuitive notion of "participant protected by a contract", which we used to motivate the circular enabling relation, seems most desirable.

Our contract model features an effective procedure for deciding when an agreement exists, and then for deciding the duties of participants at each execution step. These procedures are obtained by means of an encoding of contracts into Propositional Contract Logic. In particular, our encoding reduces the problem of detecting whether an event is reachable to that of proving a formula in PCL. The correctness of our encoding is stated in Theorem 15. An extension of such result is presented in [2], where configurations are characterised as provability of certain formulae in PCL.
A concrete usage scenario of our contract model is a protocol for exchanging, agreeing upon, and executing contracts. In the initial phase of the protocol, a special participant $T$ acts as a contract broker, which collects the contracts from all the participants. Then, $T$ looks for possible agreements on subsets of the contracts at hand. After an agreement on $C$ has been found, $T$ shares a session with the participants in $C$. As long as the goals of some participant have not been fulfilled, $T$ notifies the duties to each culpable participant. Variants of this protocol are possible which relieve $T$ of some of its tasks. Notice that reaching an agreement is an essential requirement for the security of this protocol: if an untrusted contract broker claims to have found an agreement when there is none, then Theorem 13 no longer applies, and a situation is possible where a participant has not reached her goals, but no one is culpable. Notably, participants can still protect themselves against untrusted brokers, by always requiring in their contracts the suitable ($\vdash$ / $\Vdash$) preconditions. This protocol can be formally described in the process calculus CO2 [1]. This requires to specialise the abstract contract model of CO2 to the contracts presented in this paper, and, accordingly, to make the observables in fuse/ask prefixes correspond to agreements/duties, respectively. Static analyses on CO2, e.g. the one in [4], may then be used to detect whether a participant always respects the contracts she advertises.

Acknowledgments. This work has been partially supported by Aut. Region of Sardinia under grants L.R.7/2007 CRP2-120 (Project TESLA) and CRP-17285 (Project TRIGS).